U.S. Congress Finally Gets Some Good Ideas About IoT Security

In 2016, attacks such as the Mirai botnet took down several popular websites, and in doing so, brought attention to the need to secure Internet of Things (IoT) devices. Since then, the U.S. Congress has made attempts to pass legislation around IoT security, including a lame attempt in 2017, when senators introduced a bill that would prevent the government from buying connected devices that had one of a small number of glaring security flaws. Once again, Congress is trying to pass legislation, but this time around, there’s more to like in the bill.

Some security experts worry that this two-step approach will lead to lower security standards for agencies, because even if NIST produces strong standards, OMB could tell some or all agencies to ignore parts or even all of the standards. But that isn’t necessarily a bad thing: The National Park Service probably doesn’t require the same security guidelines that the Department of Defense requires.

I’ve learned, in covering IoT for seven years, that there are two crucial rules that form the foundation for any good legislation. The first is an understanding that good security is all about thinking about security in the first place. This may sound obvious, but if you’re buying infusion pumps for a Veterans Affairs Hospital, you’re probably focused on buying the best infusion pump, not on securing it against cyberthreats. But with the IoT, security must be part of the basic functionality, and so security professionals should be deeply involved in the design and procurement of devices. The second rule for good security legislation is that government agencies must understand that in a connected world, good security is an ongoing process, not something you can set and forget.

That’s why it’s encouraging to see that the bill would require NIST to evaluate device security every five years and update the government’s standards. Sure, five years may be an eternity in the world of connected devices and technology exploits, but it’s a start.

I have no idea if the bill will even get out of committee, or how it will look if it does, but as it stands, I’d add a few more elements that could help round it out. First, I’d love for NIST to have a budget secured for creating the list of vulnerabilities and security elements, and then for managing vulnerability disclosures going forward.

I’d also like to see some remediation plan for all of the currently insecure devices the government has under its purview. The government uses computerized and connected devices in a huge number of places, including weaponry systems for missile interception and wildlife tracking in national parks. Obviously, a lack of security is more unnerving when missiles, rather than caribou, are involved, but the government should be thinking about how to secure what’s out there, not just what it buys after a cybersecurity bill takes effect.

This article appears in the May 2019 print issue as “IoT Security Goes to Washington.”